public class PACEProtocol extends Object
Constructor and Description |
---|
PACEProtocol(PassportService service,
SecureMessagingWrapper wrapper)
Constructs a PACE protocol instance.
|
Modifier and Type | Method and Description |
---|---|
static byte[] |
computeKeySeedForPACE(KeySpec keySpec) |
static SecretKey |
deriveStaticPACEKey(KeySpec keySpec,
String oid)
Derives the static key K_pi.
|
PACEResult |
doPACE(KeySpec keySpec,
String oid,
AlgorithmParameterSpec params)
Performs the PACE 2.0 / SAC protocol.
|
PACEResult |
doPACE(SecretKey staticPACEKey,
String oid,
AlgorithmParameterSpec params)
Performs the PACE 2.0 / SAC protocol.
|
byte[] |
doPACEStep1(SecretKey staticPACEKey,
Cipher staticPACECipher)
The first step in the PACE protocol receives an encrypted nonce from the PICC
and decrypts it.
|
AlgorithmParameterSpec |
doPACEStep2(PACEInfo.MappingType mappingType,
String agreementAlg,
AlgorithmParameterSpec params,
byte[] piccNonce)
The second step in the PACE protocol computes ephemeral domain parameters
by performing a key agreement protocol with the PICC nonce as
input.
|
AlgorithmParameterSpec |
doPACEStep2GM(String agreementAlg,
AlgorithmParameterSpec params,
byte[] piccNonce) |
AlgorithmParameterSpec |
doPACEStep2IM(String agreementAlg,
AlgorithmParameterSpec params,
byte[] piccNonce) |
PublicKey |
doPACEStep3ExchangePublicKeys(PublicKey pcdPublicKey,
AlgorithmParameterSpec ephemeralParams) |
KeyPair |
doPACEStep3GenerateKeyPair(String agreementAlg,
AlgorithmParameterSpec ephemeralParams) |
byte[] |
doPACEStep3KeyAgreement(String agreementAlg,
PrivateKey pcdPrivateKey,
PublicKey piccPublicKey) |
byte[] |
doPACEStep4(String oid,
PACEInfo.MappingType mappingType,
KeyPair pcdKeyPair,
PublicKey piccPublicKey,
SecretKey macKey) |
static byte[] |
generateAuthenticationToken(String oid,
SecretKey macKey,
PublicKey publicKey)
The authentication token SHALL be computed over a public key data object (cf.
|
public PACEProtocol(PassportService service, SecureMessagingWrapper wrapper)
service
- the service for sending APDUswrapper
- the already established secure messaging channel (or null
)public PACEResult doPACE(KeySpec keySpec, String oid, AlgorithmParameterSpec params) throws PACEException
keySpec
- the MRZoid
- as specified in the PACEInfo, indicates GM or IM or CAM, DH or ECDH, cipher, digest, lengthparams
- explicit static domain parameters the domain params for DH or ECDHPACEException
- on errorpublic PACEResult doPACE(SecretKey staticPACEKey, String oid, AlgorithmParameterSpec params) throws PACEException
staticPACEKey
- the password keyoid
- as specified in the PACEInfo, indicates GM or IM or CAM, DH or ECDH, cipher, digest, lengthparams
- explicit static domain parameters the domain params for DH or ECDHPACEException
- on errorpublic byte[] doPACEStep1(SecretKey staticPACEKey, Cipher staticPACECipher) throws PACEException
staticPACEKey
- the static PACE keystaticPACECipher
- the cipher to reusePACEException
- on errorpublic AlgorithmParameterSpec doPACEStep2(PACEInfo.MappingType mappingType, String agreementAlg, AlgorithmParameterSpec params, byte[] piccNonce) throws PACEException
mappingType
- either CAM, GM, or IMagreementAlg
- the agreement algorithm, either DH or ECDHparams
- the static domain parameterspiccNonce
- the received nonce from the PICCPACEException
- on errorpublic AlgorithmParameterSpec doPACEStep2GM(String agreementAlg, AlgorithmParameterSpec params, byte[] piccNonce) throws PACEException
PACEException
public AlgorithmParameterSpec doPACEStep2IM(String agreementAlg, AlgorithmParameterSpec params, byte[] piccNonce) throws PACEException
PACEException
public KeyPair doPACEStep3GenerateKeyPair(String agreementAlg, AlgorithmParameterSpec ephemeralParams) throws PACEException
PACEException
public PublicKey doPACEStep3ExchangePublicKeys(PublicKey pcdPublicKey, AlgorithmParameterSpec ephemeralParams) throws PACEException
PACEException
public byte[] doPACEStep3KeyAgreement(String agreementAlg, PrivateKey pcdPrivateKey, PublicKey piccPublicKey) throws PACEException
PACEException
public byte[] doPACEStep4(String oid, PACEInfo.MappingType mappingType, KeyPair pcdKeyPair, PublicKey piccPublicKey, SecretKey macKey) throws PACEException
PACEException
public static SecretKey deriveStaticPACEKey(KeySpec keySpec, String oid) throws GeneralSecurityException
keySpec
- the key material from the MRZoid
- the PACE object identifier is needed to determine the cipher algorithm and the key lengthGeneralSecurityException
- on errorpublic static byte[] computeKeySeedForPACE(KeySpec keySpec) throws GeneralSecurityException
GeneralSecurityException
public static byte[] generateAuthenticationToken(String oid, SecretKey macKey, PublicKey publicKey) throws GeneralSecurityException
oid
- the object identifier as indicated in MSE Set ATmacKey
- the KS MAC key derived from the key agreementpublicKey
- the received public keyGeneralSecurityException
- on error while performing the MAC operationCopyright © 2016. All rights reserved.